Minikube | Ingress Service - Bad Request - kubernetes

I'm working on a single-node cluster which works fine with docker-compose but the reconfiguration of the same setup using Minikube Ingress Controller gives me a Bad Request response.
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
My Ingress looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress-service
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
rules:
- http:
paths:
- path: /?(.*)
pathType: Prefix
backend:
service:
name: emr-cluster-ip-service
port:
number: 443
- path: /?(.*)
pathType: Prefix
backend:
service:
name: erp-cluster-ip-service
port:
number: 8069
How to fix this?

You are exposing HTTPS service on HTTP ingress, which is not the right thing to do. You might want to do one of the following:
Configure TLS-enabled ingress.
Configure TLS passthough on ingress object.
In both cases you also need to set nginx.ingress.kubernetes.io/ssl-redirect: "true"

Related

How to ByPass Traffic directly to Backend from K8S NGINX Ingress Controller

OAUTH2 is used for authentication and the OAUTH2 proxy is deployed in Kubernetes. When a request is received by the NGINX Ingress controller, it always routes the traffic to OAUTH proxy. The requirement is when the request contains a specific header (For example: abc) then those requests should be routed directly to the backend. Those shouldn't be routed to OAUTH proxy. Can this be done using some sort of an annotation in NGINX Ingress controller? Can we by pass those traffic going to OAUTH2?
You may want to have a look at https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#canary
Let's say you have a normal Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend
spec:
ingressClassName: nginx
rules:
- host: XXX
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend
port:
number: 80
Set the header name and value for your desired backend on a second Ingress, with canary enabled.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-backend-header
annotations:
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-by-header: sample-header
nginx.ingress.kubernetes.io/canary-by-header-value: abc
spec:
ingressClassName: nginx
rules:
- host: XXX
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: backend-with-header
port:
number: 80
Now, every request with sample-header: abc routes to the second ingress/service. Any other value, e. g. sample-header: test, will route to the first ingress/service.

Nginx Ingress path rewriting does not forward to specified endpoint in Kubernetes Cluster

In our Kubernetes Cluster we have a micro frontend, which is accessable under image-self-service:8080 without any additional path. To be able to use it in a bigger application I want to use an Nginx-Ingress to reroute from url-to-site/profile to image-self-service:8080/.
I have found and read this SO post, thats basically asking the same thing:
Remove routing path from Kubernetes ingress and the linked documentation here:
https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md
which resulted in me using a .yaml for my Ingress that looks like this: (sensitive Information removed)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS, DELETE"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,X-LANG,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,X-Api-Key,X-Device-Id,Access-Control-Allow-Origin"
nginx.ingress.kubernetes.io/rewrite-target: /
name: intranet-backend-ingress
namespace: intranet
spec:
rules:
- host: xxx-test.xxx.xxx
http:
paths:
- backend:
service:
name: image-self-service
port:
number: 8080
path: /profile(/|$)(.*)
pathType: Prefix
- backend:
service:
name: intranet-ui
port:
number: 8080
path: /
pathType: Prefix
...
For readability I also removed other endpoints which are more specific as I don't think those interfere.
I have tried using nginx.ingress.kubernetes.io/rewrite-target: / and nginx.ingress.kubernetes.io/rewrite-target: /$2
If I remove the rewrite-target and add a specific path, the forwarding works but with the additional path, so it results in a 404 from the underlying webservice. The Response I get using the rewriting is simply: 404 page not found which I believe to be an Ingress message.

K8S traffic to one service via two separate ingress (http + https)

So I have a bunch of services running in a cluster, all exposed via HTTP only ingress object, example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
name: some-ingress
spec:
ingressClassName: nginx
rules:
- http:
paths:
- backend:
service:
name: some-svc
port:
number: 80
path: /some-svc(/|$)(.*)
pathType: Prefix
They are accessed by http://<CLUSTER_EXTERNAL_IP>/some-svc, and it works ofc.
Now I want to create an additional ingress object for every service which will force SSL connections and allow the use of a domain instead of an IP address.
The problem is that the newer SSL ingresses always return 404 while testing the connection.
The manifests are as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "some-ingress-ssl"
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/app-root: "/some-svc"
spec:
tls:
- hosts:
- foobar.com
secretName: foobar-tls
rules:
- host: foobar.com
http:
paths:
- path: /some-svc(/|$)(.*)
pathType: Prefix
backend:
service:
name: some-svc
port:
number: 80
tests (foobar.com point to CLUSTER_EXTERNAL_IP):
> curl -I http://<CLUSTER_EXTERNAL_IP>/some-svc
HTTP/1.1 200 OK
> curl -I https://foobar.com/some-svc
HTTP/2 404
Is it possible to have both ingresses simultaneously? (one enforcing SSL, the other not)
If so what am I doing wrong here?
Figured out I was missing this annotation:
nginx.ingress.kubernetes.io/rewrite-target: /$2
in SSL ingress...
works like a charm now, maybe someone will find this usefull

Can I have both http and https in Ingress configuration?

I have ingress yaml like below which makes ingress to proxy HTTPS to HTTP connection. I'm confused how can I make this same ingress to process also HTTP to HTTP connection. Meaning I want it to use the same rule for both incoming HTTP or HTTPS. Removing tls portion makes it work with HTTP but adding it stops HTTP and makes it HTTPS only. Is it limitation of Kubernetes which prevents both HTTP and HTTPS routing in the same ingress controller?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
spec:
tls:
- hosts:
- "*.mydomain.com"
secretName: aks-ingress-tls
rules:
- host: "*.mydomain.net"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: frontend-service
port:
number: 80
You should redirect the HTTP request to your HTTPS listener. The requests hitting your Azure LB 80/443 listeners will be handled in the same way.
Due to Azure App gateway limitation, you cannot use a wildcard host in your ingress rules and you have to use workarounds.
See: https://azure.github.io/application-gateway-kubernetes-ingress/annotations/#ssl-redirect
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- "*.mydomain.com"
secretName: aks-ingress-tls
rules:
- host: "www.mydomain.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: frontend-service
port:
number: 80

Kubernetes fanout ingress but with the root domain serving the client

I'm having trouble getting my client container talking to the API container, I was hoping to use a fanout ingress as so:
foo.bar.com/api - routes to API container
foo.bar.com - routes to client container
My setup does render the client no problem, but all calls to the API result in 404s - so it's obviously not working. I think the 404 behaviour is a red herring, it's probably looking for Angular routes that match /api and can't find any, I don't think the routing is even happening. My Ingress yaml is below, I can share any other parts of the config if needed. Any pointers much appreciated!
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: foo-bar
name: foo-bar-ingress
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
tls:
- hosts:
- foo.bar.com
secretName: tls-secret-prod
rules:
- host: foo-bar.com
http:
paths:
- backend:
serviceName: server
servicePort: 3000
path: /api
- backend:
serviceName: client
servicePort: 80
path: /
As suggested by #HelloWorld in the comments, checking the api server routes revealed the issue to be misconfigured routing in the server not the ingress rules.